Snort mailing list archives
Re: does snort pick up lthe izamoon attack?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 01 Apr 2011 11:25:53 +1300
On 04/01/2011 11:17 AM, Alex Kirk wrote:
> Detecting compromised pages should be trivial:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS lizamoon.com SQL injection compromised page"; flow:established,to_client; content:"script src=http|3A 2F 2F|lizamoon.com|2F|ur.php"; nocase; classtype:trojan-activity;)
Hi Alex

Not quite so trivial. For one thing they aren't using lizamoon.com any more... For another, you are picking up users downloading from infected sites, and I'm after picking up attacks against our webservers.

I was more asking if the existing SQL injection attack rules pick up the thing, or if someone had weblogs of the actual attack and had written rules to pick it up based on its behaviour beyond the hostname it points to - as that is being rotated.

e.g.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"lizamoon SQL injection attack"; flow:established,to_server; content:"script src=http|3A 2F 2F|"; content:"ur.php"; within:50; nocase; classtype:web-application-attack;)

might be better - but that assumes they're not doing fiddly urlencoding/etc. I dunno - I haven't seen it

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
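The caveat in the reply above (a raw content match misses the payload once it is URL-encoded) is worth seeing in code. The following Python is an added example, not code from the thread or from the Snort project: it re-implements the logic of the second rule (match `script src=http://`, then `ur.php` within 50 bytes of that match) over constructed sample request lines, once against the raw bytes and once after repeated URL-decoding. The host `evil.example` and the request lines are constructed placeholders, not real captures.

```python
from urllib.parse import unquote_plus

# Constructed sample HTTP request lines (not real captures). The hostname is a
# placeholder; the thread notes the real one is being rotated.
SAMPLE_REQUESTS = [
    # 0: plain injection string, exactly what the raw content match expects
    "GET /page.asp?id=1;script src=http://evil.example/ur.php HTTP/1.1",
    # 1: the same payload URL-encoded once; a raw content match no longer sees it
    "GET /page.asp?id=1%3Bscript%20src%3Dhttp%3A%2F%2Fevil.example%2Fur.php HTTP/1.1",
    # 2: double-encoded (% itself encoded as %25), needs two decode passes
    "GET /page.asp?id=1%253Bscript%2520src%253Dhttp%253A%252F%252Fevil.example%252Fur.php HTTP/1.1",
    # 3: benign request
    "GET /page.asp?id=42 HTTP/1.1",
    # 4: ur.php present but more than 50 bytes after the marker, so within:50 fails
    "GET /x?q=script src=http://" + "a" * 60 + "/ur.php HTTP/1.1",
]

MARKER = "script src=http://"   # first content: match in the rule
TRAILER = "ur.php"              # second content: match, constrained by within:50
WITHIN = 50


def normalise(raw, max_rounds=3):
    """URL-decode repeatedly until the string stops changing (bounded rounds),
    then lowercase to mirror the rule's nocase modifier."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def find_within(payload):
    """Mirror Snort's content/within semantics: TRAILER must lie entirely inside
    the WITHIN bytes that follow the end of a MARKER match. Every MARKER
    occurrence is tried, as Snort does when an earlier candidate fails."""
    start = 0
    while True:
        i = payload.find(MARKER, start)
        if i < 0:
            return False
        end = i + len(MARKER)
        # str.find with (start, end) only returns a hit fully inside the window
        if payload.find(TRAILER, end, end + WITHIN) >= 0:
            return True
        start = i + 1


def scan(requests, decode=True):
    """Return the indices of requests that trigger the rule logic, either on the
    raw line (decode=False) or after URL normalisation (decode=True)."""
    hits = []
    for idx, req in enumerate(requests):
        payload = normalise(req) if decode else req.lower()
        if find_within(payload):
            hits.append(idx)
    return hits


if __name__ == "__main__":
    print("raw match hits:       ", scan(SAMPLE_REQUESTS, decode=False))
    print("normalised match hits:", scan(SAMPLE_REQUESTS, decode=True))
```

Against the raw lines only request 0 fires; after decoding, requests 0, 1 and 2 fire while the benign line and the out-of-window line stay quiet. In Snort itself the equivalent of the `normalise` step is to attach the `http_uri` modifier to the content matches so the preprocessor's normalised URI buffer is inspected rather than the raw packet bytes; the decoding loop is bounded here for the same reason an IDS bounds it, so a pathological input cannot make the detector loop.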